CVE-2025-61865: Unquoted search path or element in I-O DATA DEVICE, INC. NarSuS App
NarSuS App registers a Windows service with an unquoted file path. A user with write permission on the root directory of the system drive may execute arbitrary code with SYSTEM privilege.
AI Analysis
Technical Summary
CVE-2025-61865 is a security vulnerability identified in the NarSuS App developed by I-O DATA DEVICE, INC. The root cause is an unquoted search path or element in the Windows service registration for this application. When a Windows service executable path contains spaces but is not enclosed in quotes, Windows may incorrectly parse the path and execute malicious binaries placed in certain directories along the path. In this case, a user who has write permissions on the root directory of the system drive (commonly C:\) can place a crafted executable that will be run with SYSTEM privileges when the service starts or restarts. This effectively allows privilege escalation from a user with write access on the root drive to full SYSTEM-level control. The vulnerability affects all versions of NarSuS App prior to version 2.33. The CVSS v3.0 base score is 6.7, reflecting medium severity, with attack vector local (AV:L), low attack complexity (AC:L), requiring high privileges (PR:H), no user interaction (UI:N), and impacts confidentiality, integrity, and availability (C:H/I:H/A:H). There are no known exploits in the wild at the time of publication, but the vulnerability is significant due to the potential for complete system compromise. Mitigation involves patching to version 2.33 or later and restricting write permissions on the system drive root directory to trusted administrators only. This vulnerability is particularly relevant for environments where multiple users have local access or where endpoint security is lax. The unquoted service path issue is a well-known Windows security weakness that has been exploited in various contexts, emphasizing the need for secure service configuration and permission management.
Potential Impact
For European organizations, the impact of CVE-2025-61865 can be substantial, especially in environments where multiple users have local access or where endpoint security controls are insufficient. Successful exploitation leads to privilege escalation to SYSTEM level, enabling attackers to execute arbitrary code with the highest Windows privileges. This can result in complete system compromise, data theft, disruption of services, and lateral movement within networks. Critical infrastructure, government agencies, and enterprises using NarSuS App on Windows systems are at risk of operational disruption and data breaches. The vulnerability could be leveraged by insider threats or attackers who have gained limited local access. The medium CVSS score reflects the requirement for local access and high privileges, which somewhat limits remote exploitation but does not diminish the severity of impact once exploited. European organizations must consider the risk in the context of compliance with data protection regulations such as GDPR, where unauthorized access and data breaches carry significant legal and financial consequences.
Mitigation Recommendations
1. Immediately upgrade NarSuS App to version 2.33 or later, where the unquoted service path issue is resolved.
2. Restrict write permissions on the root directory of the system drive (e.g., C:\) to trusted administrators only, preventing unauthorized users from placing malicious executables.
3. Audit existing Windows services for unquoted service paths and correct them by enclosing executable paths in quotes.
4. Implement application whitelisting to prevent unauthorized executables from running with SYSTEM privileges.
5. Employ endpoint detection and response (EDR) solutions to monitor for suspicious activity related to service execution and privilege escalation attempts.
6. Enforce the principle of least privilege for all user accounts to minimize the number of users with write access to critical system locations.
7. Conduct regular security training to raise awareness about local privilege escalation risks.
8. Monitor system logs for unusual service start events or unexpected executable launches from system directories.

These steps go beyond generic advice by focusing on permission hardening, service configuration auditing, and proactive monitoring specific to this vulnerability type.
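The parsing behaviour described in the technical summary and mitigation steps 2 and 3 above can be checked on a host with the following PowerShell script. It is an added example written for this page, not code from I-O DATA DEVICE, INC. or from the advisory; it assumes an elevated PowerShell session on the machine being audited, reads each service's ImagePath from the registry, lists the intermediate paths Windows would try for an unquoted path with spaces (for `C:\Program Files\Vendor\app.exe` these are `C:\Program.exe` and `C:\Program Files\Vendor.exe`), flags the parent directories standard users can create files in, and offers a repair that quotes the executable portion. Service names in the usage comment are placeholders.

```powershell
# Added example (not the vendor's or the advisory's code). Assumes an elevated session.

function Get-UnquotedServicePathCandidates {
    # Returns the executables Windows may try before the intended one when a
    # service path containing spaces is not quoted. Empty result = not affected.
    param([Parameter(Mandatory)][string]$ImagePath)
    $path = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    if ($path.StartsWith('"')) { return @() }          # already quoted
    $exePart = $path
    if ($path -match '^(.*?\.exe)') { $exePart = $Matches[1] }   # drop arguments
    if ($exePart -notmatch ' ') { return @() }          # no spaces, nothing to split
    $parts = $exePart -split ' '
    $candidates = @()
    for ($i = 1; $i -lt $parts.Count; $i++) {
        # Each prefix up to a space is what the loader tries first, with .exe appended.
        $candidates += (($parts[0..($i - 1)] -join ' ') + '.exe')
    }
    return $candidates
}

function Test-WritableByStandardUsers {
    # True if a broad, non-admin principal can create files in the directory.
    # CreateFiles (WriteData) is the right bit: placing a binary needs a new file,
    # and the default C:\ root grants Authenticated Users only AppendData (folders).
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory)) { return $false }
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    $createFiles = [System.Security.AccessControl.FileSystemRights]::CreateFiles
    foreach ($ace in (Get-Acl -LiteralPath $Directory).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broad -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $createFiles) -ne 0) { return $true }
    }
    return $false
}

function Find-UnquotedServicePaths {
    # ImagePath is read from the registry because Get-Service does not expose
    # the binary path on older PowerShell versions.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $svc = $_
        $props = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
        if (-not $props.ImagePath) { return }           # drivers/services without a path
        $imagePath = [string]$props.ImagePath
        $candidates = @(Get-UnquotedServicePathCandidates -ImagePath $imagePath)
        if ($candidates.Count -eq 0) { return }
        [pscustomobject]@{
            Service   = $svc.PSChildName
            ImagePath = $imagePath
            # Directories where write access would let a hijack binary be dropped.
            RiskyDirs = @($candidates | ForEach-Object { Split-Path -Path $_ -Parent } | Select-Object -Unique)
        }
    }
}

function Repair-ServiceImagePath {
    # Mitigation step 3: quote the executable portion, leaving arguments as they were.
    param([Parameter(Mandatory)][string]$Service)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Service"
    $current = [string](Get-ItemProperty -Path $key).ImagePath
    if ($current.Trim().StartsWith('"')) { return $current }
    if ($current -match '^(.*?\.exe)(.*)$') {
        $fixed = '"' + $Matches[1] + '"' + $Matches[2]
    } else {
        $fixed = '"' + $current + '"'
    }
    # ImagePath is REG_EXPAND_SZ; keep that type so %SystemRoot% style values still expand.
    Set-ItemProperty -Path $key -Name ImagePath -Value $fixed -Type ExpandString
    return $fixed
}

# Usage: report services whose unquoted path crosses a directory standard users can write to.
Find-UnquotedServicePaths | ForEach-Object {
    $weak = @($_.RiskyDirs | Where-Object { Test-WritableByStandardUsers -Directory $_ })
    if ($weak.Count -gt 0) {
        "$($_.Service): $($_.ImagePath) -> exposed via $($weak -join ', ')"
    }
}
# Then, per finding:  Repair-ServiceImagePath -Service '<ServiceNamePlaceholder>'
```

Run the report before and after applying the vendor update: a service that still appears after upgrading to 2.33 should be fixed with `Repair-ServiceImagePath` and restarted. The ACL check is deliberately narrow (create-file rights for Everyone, Users and Authenticated Users); extend `$broad` if your environment grants write access through other groups.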
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: jpcert
- Date Reserved: 2025-10-02T07:57:52.217Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 68f9af5e102015466a3d3402
Added to database: 10/23/2025, 4:30:22 AM
Last enriched: 10/23/2025, 4:35:59 AM
Last updated: 10/23/2025, 8:14:13 AM